Microsoft licensing for VDA and Office sucks, but will it mess with your consumerization strategy?

Dealing with Microsoft licensing is a pain-it's arcaic, someone is always getting a raw deal, and there's nothing anybody can do about it because Microsoft is a monopoly.

Dealing with Microsoft licensing is a pain—it’s arcaic, someone is always getting a raw deal, and there’s nothing anybody can do about it because Microsoft is a monopoly. It’s natural, then, to be worried about the possible fallout from BYOD and consumerization. But while consumerization does bring the potential for increased licensing costs, does this even matter in a world of SaaS and new mobile platforms?

The licensing issue

Since I’m not a licensing expert, I spent about three days tearing out my hair trying to figure out the answer to just two questions: what scenarios require extra VDA licenses for mobile devices, and how does licensing Office work when it's accessed from mobile devices? I finally gave up and sought out Nathan Coutinho, a previous BriForum speaker and data center virtualization evangelist, and it even took him a bit of poking around to find clear answers to these questions. (Disclaimer: Nathan doesn’t work for Microsoft, so he can’t read the minds of the people that wrote the licensing language. To go straight to the source for this information, check out

I wanted to understand what could happen when employees used personally-owned mobile devices or laptops to access a virtual desktop, either from home or the office. It turns out that both ‘who’ owns the device and ‘where’ its used from actually plays an important role in licensing compliance.

Microsoft VDA (virtual desktop access) licenses have a provision for home use called Extended Roaming Rights (ERR). As long as the person accessing a virtual desktop has a device at work with VDA (remember that if the operating system on a user’s desktop is covered by Software Assurance under the terms of an Enterprise Agreement than it also includes the benefits of VDA), then they’re allowed to access it from any personally-owned device, anywhere, as long as it’s not at work. This privilege applies to the one—and only one—primary user of the VDA-licensed device. For the non-VDA external device, it doesn’t matter whether it’s a laptop, a tablet, a kiosk in a hotel, or any other device (whether personal or corporate owned), as long as the user is outside of their company’s or affilliate’s office, there’s no need for another VDA license. (Imagine someone saying “I felt like working from my own MacBook instead of the corporate thin client in my cubicle, so IT sent me to the Starbucks across the street.”)

When on premises, though, things get more expensive, because any device used to access a virtual desktop at work must have a VDA license, regardless of whether or not the user’s primary endpoint is licensed for VDA. In other words, ‘where’ you access your virtual desktop/application from does matter. Say an employee has a desktop with VDA (because it has SA), and they use it to access a virtual desktop. If that employee wants to use another device—perhaps a laptop or tablet so they can access their virtual desktop while in a conference room—then that device needs a VDA license. The key point to understand here is that at work, every endpoint device that’s used to access a virtual desktop in the data center needs to be covered by SA. If the extra device is a corporate laptop, and it has SA, then it already has a VDA license. But say for example that an employee, tired of being chained to their desk, brought in a MacBook from home. The company would now need to provide another VDA license. That MacBook was perfectly fine at Starbucks, but now it’s costing the company more money. The employee asks, “What about my iPad? No? How about my Kindle Fire? No? Really? That stinks!” At the end of the day, the company can either choose to shell out the money or to just say no; it’s certainly an equally  frustrating situation for the both the employee and IT. Also, regarding this situation, Nathan emphasized that it is the company’s responsibility to audit this which is why having updated IT policies and continually educating end users is important to stay compliant with not just Microsoft software, but any software.

Luckily, with Remote Desktop Session Host, ‘per-user’ RDS CALs make everything much, much easier. These types of client access licenses work anywhere, from home or at work, from any device, as many devices as the user wants...anything! It really is just that easy. Great, right?

Now imaging the potential for problems in environments that mix RDS and VDI. What do you do, send an email to all your employees telling them that if they’re using RDS it’s okay to bring in their personal MacBook/tablet/whatever, but if they’re using VDI, it’s not? This is super confusing for the employees, because among other issues, it’s pretty likely that they can’t even tell the difference—after all, the RDS sessions could have Aero turned on so they look like Windows 7 desktops and not Windows Server, the VDI sessions might be built on a shared image so they feel like RDS, and the users probably click on the same icon to reach both types of desktops!

What about other applications, like Office?

Now let’s throw Office into the equation. All the above scenarios assumed that beyond the VDA license there wouldn’t be any problems with any other software, but unfortunately most of the time users will need more than just an empty desktop shell. I’m just going to talk about Office here because of its ubiquity and for the sake of my sanity.

Office must be licensed on every single end point on company premises that is used to access it. Remember that per-user RDS CAL that was so great? Well, if users need to access Office on those RDS desktops on premise, then every endpoint needs a license for it—a personal MacBook, tablets...everything. All the benefits are gone, and these are now essentially the same restrictions as with VDA because ‘client’ software like Windows 7 and Office are all licensed only by endpoint. 

However, Office licenses that are covered with SA also have ERR, so if the user has a primary device at work that has Office/SA, then they can access Office from home or a coffee shop using their own personal device. This works exactly the same as the ERR SA benefit of VDA.

How does Microsoft keep track of this? The truth is that it’s nearly impossible, and a lot of this is based on the honor system. But since IT has to make an effort for compliance reasons, the end result could often be having to say ‘no’ to personal devices. We all know what the result of that is, and that’s the concept that we’ve been calling FUIT. The users will do whatever they need to do to get around IT and work the way they want to, causing more headaches for everyone involved. At the end of the day, the result is that more devices equals more costs, which frankly shouldn’t be a shocker.

The CoIT issue

These licensing issues are pretty screwy, but all of the above scenarios assume that the users want to be accessing desktops and desktop software. These problems have been around for a lot longer than the current consumerization trend. Now, however, there’s much more potential for users to bring extra devices in the office, or want access with more devices. It could be a nightmare—the next hot new device comes out, and a few people bring it in—suddenly there are more Office licenses or VDA licenses to buy.

Let’s back up. I said that these scenarios assume that employees are accessing desktops and desktop software from all these devices. But do you think for a second that anyone thought to themselves, “I’m going to buy this iPad so I can access a Windows desktop”? It’s a lot more likely that they’re going to go buy Evernote, Docs To Go or QuickOffice.

New devices may create the potential for more licensing costs, but if that’s what worries you about consumerization and BYOD, then you’re approaching it wrong! These costs will certainly be a factor to consider, but more importantly, you should be worrying about how to get all your users to install vetted apps from a corporate app store, deciding on a SaaS strategy, or worrying about providing secure document sharing so employees don’t use Dropbox. Of course, it’s likely that the person in charge of licensing compliance at a company is not the same person that’s worrying about consumerization strategy, and that will remain a tough problem to get solve.

Final thoughts

There’s a lot that we didn’t cover here, like VDA for contractors, VDA for devices that are shared between multiple users, applications other than Office. It’s so hard to cover everything in one article that it’s best to just figure out your actual requirements and then head to Microsoft to find out what you need to cover all your bases.

Don’t like dealing with all this? Mobile devices, other platforms, and the evolution of Microsoft licensing itself (such as the fact that before Server 2003 there were no per-user TS CALs, and VDA used to cost extra for endpoints with SA, for example) will provide alternatives. For right now, though, when it comes down to BYOD and CoIT strategy, does anybody actually worry about the licensing costs more than other aspects?


Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Dude, nice work. You're our new licensing guy. You can defer to Nathan, but I'm going to you with everything!

I think it's crazy that VDA is a per device license, but then it can also take the form of a per-user license in the form of ERR. Why not just make it a per-user thing and end it? I know why (money), but still.

I'm certain that there is not a single company in the entire world that is compliant with all these bat *** crazy stipulations.


Simple solution. Deploy OPUS from Orchard Parc and use your Mac for both your personal and your primary work desktop. Provides mobility, and reduces number of devices required, and the number of Microsoft licences.

IT can deliver a secured corporate Mac desktop to the Mac user, which includes their Windows desktop. Data can be maintained behind the firewall or distributed, and users can access data and content from any browser enabled device.


Ahh, but what your sales pitch ignores is the fact that Microsoft will probably still consider that as accessing Windows or Office from another device (and one that can't have SA, at that).


Get in touch, though ( I'd like to hear about it. The site isn't all that descriptive, but it looks like it's using VMware Player or Fusion to run VM's provided by a cloud service.


One thing to add - if you buy an Office 365 subscription, its delivered on a Per User basis.  I believe there are some issues with how many times you can install the included Office 2010 software, but that's one way you can get around the SA and home/office location restrictions.  It's funny, a customer actually pointed out to me that its probably easier to just go BYOD only and just license one VDA lic per personal endpoint and be done with it.  That way the company pays for VDA for a single endpoint, as well as Office.  Of course that still leaves the iPad/iPhone access (at work) as an issue.  But at least you can use your own machine.  Lots of ways to skin this cat.


Very timely.  I was just thinking I was the on the short list of those who should get this but, still don't think we have a complete answer to work with.

Wouldn't it be great if that one person in Mcrosoft who get it read this blog and had a wild hair inclination to help us ensure we're doing it right. I seem to hear crickets from MS when I start asking the real questions.


It’s important to be precise when discussing MS licensing, particularly with regards to running Remote Desktop Services or VDI, and Office running in either of these environments. And, unfortunately, it’s always changing. We picked up a subtle change in the most recent PUR, Product Use Rights document from MS, dated January 2012.

(You can find it here So, I wanted to point out something that isn’t exactly correct from this article.

In the fourth paragraph of the article is the following sentence:

For the non-VDA external device, it doesn’t matter whether it’s a laptop, a tablet, a kiosk in a hotel, or any other device (whether personal or corporate owned), as long as the user is outside of their company’s or affilliate’s office, there’s no need for another VDA license.

For Roaming Use Rights to apply the device being used must fall under the definition of “Qualifying Third Party Device”. I believe that this is what the author is trying to say with the phrase “the non-VDA external device”.  See page 131 of the PUR for the explanation of the Roaming Use Rights benefit. Then from page 7 of the PUR is the definition:

Qualifying Third Party Device means a device that is not controlled, directly or indirectly, by you or your affiliates (e.g., a third party’s public kiosk).

The problem with the definition is the word “controlled”. What does this mean? If the device is owned by the corporation, is that control? If it’s owned personally but “managed” by the corporation, say for instance an iDevice or Android with corporate remote wipe and/or application install prevention, is that control? We used to say that not owning was sufficient to make it a qualifying third party device, but that may not be enough any longer. It will depend on what MS says “controlled” means and what you can negotiate with them.

So it’s not just whether a device is on the companies premises, it must also be a qualifying third party device. Then, as is stated in the article, even if it is a qualifying third party device, if it’s on premises owned or leased by the corporation, RUR don’t apply.

All of the above is that same for Office as long as you maintain Software Assurance on it. It’s important to note that whether one is accessing Office via VDI OR Remote Desktop Services, the above rules apply.


Eric, thanks for pointing this out!